Vectorized linear approximations for attacks on SNOW 3G

SLIDE 1

Vectorized linear approximations for attacks on SNOW 3G

Jing Yang (1), Thomas Johansson (1), Alexander Maximov (2)

(1) Dept. of Electrical and Information Technology, Lund University
(2) Ericsson Research, Lund, Sweden

FSE 2020, November 2020

SLIDE 2

Outline

1 Motivation
2 The SNOW 3G Cipher
3 Linear Cryptanalysis of SNOW 3G
  Linear Approximation of FSM
  Distinguishing Attack
  Correlation Attack
4 Conclusions

SLIDE 7

Confidentiality and Integrity Protection in Cellular Networks

◮ Three standardized algorithms in LTE: SNOW 3G, AES, ZUC
◮ 128-bit security level
◮ 5G: 256-bit security algorithms
◮ One possible solution: reuse existing algorithms
◮ Security under the 256-bit key length should be investigated
◮ Contribution: give linear cryptanalysis of SNOW 3G
  ◮ Distinguishing attack: 2^172
  ◮ Correlation attack: 2^177


SLIDE 9

SNOW 3G

◮ A stream cipher with a linear part and a non-linear part

[Figure: LFSR with cells s0 ... s15 and multipliers α, α^-1 on the feedback taps; FSM with registers R1, R2, R3 and S-transforms S1, S2; keystream output z(t)]

◮ Linear part: linear feedback shift register (LFSR)
◮ Non-linear part: finite state machine (FSM)

SLIDE 13

LFSR in SNOW 3G

[Figure: LFSR cells s0 ... s15; feedback taken from s0, s2 and s11 with multipliers α and α^-1; s0, s5 and s15 feed the FSM]

◮ Defined over GF(2^32), 16 cells × 32 bits / cell = 512 bits
◮ Feedback polynomial: P(x) = αx^16 + x^14 + α^-1 x^5 + 1 ∈ GF(2^32)[x]
◮ α is a root of a polynomial in GF(2^8)[x]
◮ LFSR update:
  $$s_i^{(t+1)} = s_{i+1}^{(t)} \quad (0 \le i \le 14), \qquad s_{15}^{(t+1)} = \alpha^{-1} s_{11}^{(t)} + s_{2}^{(t)} + \alpha s_{0}^{(t)}.$$
◮ s_15^(t), s_5^(t), s_0^(t) are used to update the FSM and generate the keystream

SLIDE 16

FSM in SNOW 3G

[Figure: FSM with registers R1, R2, R3 and S-transforms S1, S2; inputs s_0^(t), s_5^(t), s_15^(t) from the LFSR; output z(t)]

◮ Keystream block: $z^{(t)} = (R1^{(t)} \boxplus s_{15}^{(t)}) \oplus R2^{(t)} \oplus s_{0}^{(t)}$
◮ FSM update:
  $$R1^{(t+1)} = R2^{(t)} \boxplus_{32} (R3^{(t)} \oplus s_5^{(t)}), \qquad R2^{(t+1)} = S_1(R1^{(t)}), \qquad R3^{(t+1)} = S_2(R2^{(t)})$$
◮ S1, S2 are 32-to-32 S-transforms

SLIDE 19

S-transforms in FSM

[Figure: four parallel S-boxes applied to the bytes w0, w1, w2, w3, followed by a MixColumn step producing r0, r1, r2, r3]

◮ S1 = L1 · SR, SR is the AES S-box
  $$\begin{pmatrix} r_0 \\ r_1 \\ r_2 \\ r_3 \end{pmatrix} = \begin{pmatrix} x & x+1 & 1 & 1 \\ 1 & x & x+1 & 1 \\ 1 & 1 & x & x+1 \\ x+1 & 1 & 1 & x \end{pmatrix} \cdot \begin{pmatrix} S_R(w_0) \\ S_R(w_1) \\ S_R(w_2) \\ S_R(w_3) \end{pmatrix}$$
◮ S2 = L2 · SQ, SQ is derived from the Dickson polynomials
  $$\begin{pmatrix} r_0 \\ r_1 \\ r_2 \\ r_3 \end{pmatrix} = \begin{pmatrix} y & y+1 & 1 & 1 \\ 1 & y & y+1 & 1 \\ 1 & 1 & y & y+1 \\ y+1 & 1 & 1 & y \end{pmatrix} \cdot \begin{pmatrix} S_Q(w_0) \\ S_Q(w_1) \\ S_Q(w_2) \\ S_Q(w_3) \end{pmatrix}$$


SLIDE 29

Basics for Linear Cryptanalysis of Stream Ciphers

◮ Basic idea: approximate non-linear components as linear ones, then derive linear relationships involving:
  ◮ LFSR states and keystream symbols ⇒ correlation attacks
  ◮ Keystream symbols only ⇒ distinguishing attacks
◮ Linear approximation: z = NF(s) = LF(s) + e [biased noise]
◮ Consider a general vectorized linear approximation
◮ e has distribution D; the SEI (Squared Euclidean Imbalance) is
  $$\varepsilon = |D| \cdot \sum_{e=0}^{|D|-1} \left( D(e) - \frac{1}{|D|} \right)^2$$
◮ Required samples: n = O(1/ε) to distinguish e from random
◮ Key point: find a good approximation with a large bias

SLIDE 32

Linear Approximation of FSM in SNOW 3G

[Figure: FSM with registers R1, R2, R3 and S-transforms S1, S2; inputs s_0^(t), s_5^(t), s_15^(t); output z(t)]

◮ Explore linear expressions including only s15, s5, s0 and z:
  $$\bigoplus_{i \in I} \left( c_z^{(t+i)} z^{(t+i)} \oplus c_{15}^{(t+i)} s_{15}^{(t+i)} \oplus c_{5}^{(t+i)} s_{5}^{(t+i)} \oplus c_{0}^{(t+i)} s_{0}^{(t+i)} \right)$$
◮ c_z^(t+i), c_15^(t+i), c_5^(t+i), c_0^(t+i) are linear masking matrices
◮ The SEI of this expression evaluates the quality of the approximation
◮ Find a good time set I and masking matrices

SLIDE 34

Linear Approximation of FSM

Consider 3 consecutive keystream blocks to cancel out R1, R2, R3.

Register update and recursion at three time instances:
$$R2^{(t+1)} = L_1 \cdot S_R(R1^{(t)}), \qquad R1^{(t-1)} = S_R^{-1} \cdot L_1^{-1}(R2^{(t)})$$
$$R3^{(t+1)} = L_2 \cdot S_Q(R2^{(t)}), \qquad R2^{(t-1)} = S_Q^{-1} \cdot L_2^{-1}(R3^{(t)})$$
$$R1^{(t+1)} = R2^{(t)} \boxplus_{32} (R3^{(t)} \oplus s_5^{(t)})$$

Keystream symbols at 3 consecutive time instances:
$$z^{(t-1)} = \left( S_R^{-1} L_1^{-1}(R2^{(t)}) \boxplus s_{15}^{(t-1)} \right) \oplus S_Q^{-1} L_2^{-1}(R3^{(t)}) \oplus s_0^{(t-1)}$$
$$z^{(t)} = \left( R1^{(t)} \boxplus s_{15}^{(t)} \right) \oplus R2^{(t)} \oplus s_0^{(t)}$$
$$L_1^{-1} z^{(t+1)} = L_1^{-1}\left( R2^{(t)} \boxplus (R3^{(t)} \oplus s_5^{(t)}) \boxplus s_{15}^{(t+1)} \right) \oplus S_R(R1^{(t)}) \oplus L_1^{-1} s_0^{(t+1)}$$

L_1^{-1} is the inverse of L1, used as a linear masking matrix.

SLIDE 39

24-bit Linear Approximation

Build 24-bit symbols by combining the first bytes; the subscript [0,0,0] means that byte 0 of each of the three rows is taken.

Sample at t:
$$Z^{(t)} = \begin{bmatrix} z^{(t-1)} \\ z^{(t)} \\ L_1^{-1} z^{(t+1)} \end{bmatrix}_{[0,0,0]}
= \underbrace{\begin{bmatrix} \left( S_R^{-1}(L_1^{-1} R2^{(t)}) \boxplus s_{15}^{(t-1)} \right) \oplus s_{15}^{(t-1)} \oplus S_Q^{-1}(L_2^{-1} R3^{(t)}) \\ R2^{(t)} \\ L_1^{-1}\left[ \left( R2^{(t)} \boxplus (R3^{(t)} \oplus s_5^{(t)}) \boxplus s_{15}^{(t+1)} \right) \oplus s_5^{(t)} \oplus s_{15}^{(t+1)} \right] \end{bmatrix}_{[0,0,0]}}_{\text{24-bit noise } N2^{(t)}}$$
$$\oplus \underbrace{\begin{bmatrix} 0 \\ (R1^{(t)} \boxplus s_{15}^{(t)}) \oplus s_{15}^{(t)} \\ S_R(R1^{(t)}) \end{bmatrix}_{[0,0,0]}}_{\text{24-bit noise } N1^{(t)}}
\oplus \underbrace{\begin{bmatrix} s_0^{(t-1)} \oplus s_{15}^{(t-1)} \\ s_{15}^{(t)} \oplus s_0^{(t)} \\ L_1^{-1}\left[ s_0^{(t+1)} \oplus s_5^{(t)} \oplus s_{15}^{(t+1)} \right] \end{bmatrix}_{[0,0,0]}}_{\text{contribution from LFSR } S^{(t)}}$$

◮ Z(t) = S(t) ⊕ N(t), N(t) = N1(t) ⊕ N2(t)
◮ N1(t), N2(t) independent
◮ ε(N1(t)): loop over R1(t)[0], s_15^(t)[0] in O(2^16)
◮ How about ε(N2(t))? (four 32-bit variables: R2, R3, s5, s15)
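The SEI formula from the "Basics" slide and the O(2^16) enumeration of ε(N1(t)) described just above, as an added worked example in Python (this is not code from the slides or from the authors). It assumes that [0] denotes the least significant byte of a 32-bit word, so byte 0 of a modular sum has no carry-in, that SR is the AES S-box applied bytewise, and that the first row of N1(t) is zero because z(t-1) contains no R1(t) term. The SEI of N1 is measured over the 2^16 values its two non-zero bytes can take; a small carry-word distribution with a hand-checkable SEI is included as a sanity check.

```python
# Added example (not from the slides): the SEI of a noise distribution and the
# O(2^16) enumeration of the N1(t) noise of the 24-bit approximation.
# Assumptions: [0] is the least significant byte of a 32-bit word (no carry-in
# into byte 0 of a sum), SR is the AES S-box applied bytewise, and the first
# row of N1(t) is 0 since z(t-1) has no R1(t) term.
from collections import Counter


def sei(dist, size):
    """SEI of a distribution over `size` values given as {value: probability}:
    epsilon = |D| * sum_e (D(e) - 1/|D|)^2.  Values missing from `dist` have
    probability 0 and each still contributes (0 - 1/|D|)^2."""
    inv = 1.0 / size
    present = sum((p - inv) ** 2 for p in dist.values())
    absent = (size - len(dist)) * inv * inv
    return size * (present + absent)


def samples_needed(epsilon):
    """n = O(1/epsilon) samples to tell the distribution from uniform
    (constant factor taken as 1)."""
    return 1.0 / epsilon


def carry_noise_dist(width):
    """Distribution of ((a + b) mod 2^width) xor a xor b over all pairs (a, b):
    the noise left when modular addition is approximated by xor."""
    mask = (1 << width) - 1
    counts = Counter()
    for a in range(1 << width):
        for b in range(1 << width):
            counts[((a + b) & mask) ^ a ^ b] += 1
    total = float(1 << (2 * width))
    return {e: c / total for e, c in counts.items()}


def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES modulus x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(v):
    """v^254 = v^-1 in GF(2^8) by square-and-multiply (0 maps to 0)."""
    result, base, e = 1, v, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def aes_sbox():
    """SR: the AES S-box, built from GF(2^8) inversion and the affine map."""
    def rot(x, k):
        return ((x << k) | (x >> (8 - k))) & 0xFF
    box = []
    for v in range(256):
        inv = gf_inv(v)
        box.append(inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63)
    return box


def n1_noise_dist(sbox):
    """Joint distribution of the two non-zero bytes of N1(t):
    byte1 = ((R1 + s15) mod 2^32 xor s15)[0] = ((r + s) mod 256) xor s,
    byte2 = SR(R1)[0] = SR(r), looping over r = R1(t)[0] and s = s15(t)[0]."""
    counts = Counter()
    for r in range(256):
        for s in range(256):
            byte1 = ((r + s) & 0xFF) ^ s
            counts[(byte1 << 8) | sbox[r]] += 1
    return {e: c / 65536.0 for e, c in counts.items()}


def n1_bias():
    """SEI of N1(t) over the 2^16 values its two non-zero bytes can take."""
    return sei(n1_noise_dist(aes_sbox()), 1 << 16)


if __name__ == "__main__":
    print("SEI of the 8-bit carry noise:", sei(carry_noise_dist(8), 256))
    print("SEI of N1 (16-bit view):", n1_bias(), "-> samples ~", samples_needed(n1_bias()))
```

For r = 0 the byte1 value is always 0, so the pair (0, SR(0)) has probability exactly 2^-8; such structure is what makes the distribution distinguishable from uniform, and `n1_bias()` turns it into the single SEI number the sample-count rule n = O(1/ε) works with.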

SLIDE 45

Bias Computing of ε(N2(t))

Split the variables / noise expression into smaller fields [ZXM15] (1) [MJ05] (2)

◮ Compute sub-distributions and combine them:
  F1(R2_1, R3_1, s5_1, s15_1) → c1 → F2(R2_2, R3_2, s5_2, s15_2) → c2 → F3(R2_3, R3_3, s5_3, s15_3) → c3 → F4(R2_4, R3_4, s5_4, s15_4)
  (byte-wise sub-functions F1 to F4; c1, c2, c3 are the carries passed between bytes)
◮ Consider carries between different bytes
◮ FWHT can be used to speed up
◮ Complexity: O(2^40.53), bias: ε(N2) ≈ 2^−29.391880
◮ The total bias: ε(N) ≈ 2^−37.37, ε(4 × N) ≈ 2^−162.76.

Q: Is the derived bias correct?

(1) Zhang B., et al. Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of SNOW 2.0. CRYPTO 2015.
(2) Maximov A., et al. Fast computation of large distributions and... ASIACRYPT 2005.

SLIDE 49

Experimental Verification of the Bias

◮ Recall: for a distribution PX with bias ε, O(1/ε) samples are required to distinguish PX from random
◮ Idea: if with O(1/ε) samples we can distinguish PX from random, the bias of PX cannot be much smaller than ε
◮ Tool: hypothesis testing
  H0 : PX = PN, the computed noise distribution; H1 : PX = PU, the uniform distribution.
◮ Decision rule:
  $$P_X = \begin{cases} P_N, & \text{if } D(P_X \| P_U) > D(P_X \| P_N), \\ P_U, & \text{if } D(P_X \| P_U) < D(P_X \| P_N). \end{cases}$$
◮ D(x||y): KL divergence (or relative entropy) between x and y
◮ The closer x and y are, the smaller D(x||y) is

SLIDE 56

Experimental Verification

◮ Recall: Z(t) = S(t) ⊕ N(t)
◮ Z(t) ⊕ S(t) = N(t), biased
◮ Verify: collect samples Z(t) ⊕ S(t) and check whether they follow PN or PU
◮ Run 64 SNOW 3G instances for up to 2^40 iterations and build the samples
  $$X^{(t)} = Z^{(t)} \oplus S^{(t)} = \begin{bmatrix} \left( z^{(t-1)} \oplus s_0^{(t-1)} \oplus s_{15}^{(t-1)} \right)[0] \\ \left( z^{(t)} \oplus s_{15}^{(t)} \oplus s_0^{(t)} \right)[0] \\ \left( L_1^{-1}\left[ z^{(t+1)} \oplus s_0^{(t+1)} \oplus s_5^{(t)} \oplus s_{15}^{(t+1)} \right] \right)[0] \end{bmatrix}$$
◮ Build random sequences: lower 24 bits of keystream symbols
◮ For every sequence, check which distribution it follows
◮ Errors:
  ◮ TYPE I: a noise distribution is judged as random
  ◮ TYPE II: a random distribution is judged as biased
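The hypothesis test from the previous two slides (KL-divergence decision rule, TYPE I and TYPE II errors), as an added worked example in Python that is not part of the slides or the authors' verification code. It assumes a constructed 8-bit toy noise distribution PN in place of SNOW 3G's 24-bit N(t); the sample sequences are drawn from PN or from the uniform distribution with a seeded generator, and the two error rates are estimated over a number of constructed sequences, which is the same procedure the slides apply to 24-bit SNOW 3G samples.

```python
# Added example (not from the slides): the KL-divergence decision rule used to
# check a computed bias, and TYPE I / TYPE II error rates on constructed data.
# PN here is a constructed 8-bit toy distribution, not SNOW 3G's 24-bit N(t).
import math
import random
from collections import Counter

SYMBOLS = 256


def kl_divergence(p, q):
    """D(p||q) = sum_x p(x) log2(p(x)/q(x)) for probability lists p and q.
    Terms with p(x) = 0 contribute 0; p(x) > 0 with q(x) = 0 gives infinity."""
    total = 0.0
    for px, qx in zip(p, q):
        if px == 0.0:
            continue
        if qx == 0.0:
            return math.inf
        total += px * math.log2(px / qx)
    return total


def uniform_distribution():
    """PU: the uniform distribution over the symbol alphabet."""
    return [1.0 / SYMBOLS] * SYMBOLS


def toy_noise_distribution(bias):
    """Constructed PN: symbol 0 has probability `bias`; the remaining mass is
    spread evenly over the other 255 symbols (bias = 1/256 gives uniform)."""
    rest = (1.0 - bias) / (SYMBOLS - 1)
    return [bias] + [rest] * (SYMBOLS - 1)


def empirical(samples):
    """PX: the empirical distribution of the observed samples."""
    counts = Counter(samples)
    n = float(len(samples))
    return [counts.get(x, 0) / n for x in range(SYMBOLS)]


def decide(samples, p_noise):
    """Decision rule: PX = PN if D(PX||PU) > D(PX||PN), otherwise PX = PU."""
    p_x = empirical(samples)
    d_uniform = kl_divergence(p_x, uniform_distribution())
    d_noise = kl_divergence(p_x, p_noise)
    return "PN" if d_uniform > d_noise else "PU"


def sequence(p, n, seed):
    """Constructed sample sequence of length n drawn from distribution p."""
    rng = random.Random(seed)
    return rng.choices(range(SYMBOLS), weights=p, k=n)


def error_rates(p_noise, n_samples, trials, seed=1):
    """TYPE I: a noise sequence judged random; TYPE II: a random sequence
    judged biased.  Each rate is estimated over `trials` sequences."""
    type1 = type2 = 0
    for i in range(trials):
        if decide(sequence(p_noise, n_samples, seed + 2 * i), p_noise) == "PU":
            type1 += 1
        if decide(sequence(uniform_distribution(), n_samples, seed + 2 * i + 1), p_noise) == "PN":
            type2 += 1
    return type1 / trials, type2 / trials


if __name__ == "__main__":
    # A weak bias needs more samples before both error rates reach zero,
    # which is the trend the slides' figure shows for SNOW 3G's 24-bit noise.
    weak = toy_noise_distribution(0.02)
    for n in (200, 800, 3200, 12800):
        print(n, error_rates(weak, n, trials=20))
```

A distribution with a strong bias (symbol 0 at probability 1/2) is classified correctly from a few thousand samples; the weak-bias run in the `__main__` block shows both error rates falling as the sequence length grows, the behaviour the next slide's figure reports for the real 24-bit samples.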

SLIDE 61

Results of the Experimental Verification

[Figure. Error probabilities under different lengths of samples: x-axis "Length of Samples (log)" from 38 to 42, y-axis "Error probabilities" from 0.05 to 0.35; two curves, TYPE I errors and TYPE II errors]

◮ Error probabilities decrease as the sample length increases
◮ Length 2^40: error probabilities < 0.1; length 2^41.5: no errors (out of 21 sample sequences)
◮ With (8 ∼ 16) · (1/ε(N)) samples (ε(N) ≈ 2^−37.37), we can distinguish the sequences with large success probability
◮ The bias should be correct!

SLIDE 67

Distinguisher Constructions

◮ Distinguish the keystream sample sequence from random
◮ Recall again: Z(t) ⊕ S(t) = N(t)
◮ If S(t) can be canceled, Z(t) becomes biased
◮ With enough samples, Z(t) can be distinguished from random

Q: How to cancel out S(t)?

◮ Idea: find a time set I with, usually, 3, 4 or 5 time instances such that
  $$\bigoplus_{t \in I} S^{(t)} = 0, \qquad \bigoplus_{t \in I} Z^{(t)} = \bigoplus_{t \in I} N^{(t)}$$
◮ Equivalent to finding a multiple of the generating polynomial P(x) of weight 3, 4, or 5, with all coefficients being 1

SLIDE 72

Finalize the Distinguishing Attack

◮ Find a weight-4 multiple K(x) using the method from [LJ14] (3)
◮ Time and storage complexities O(2^172)
◮ Suppose K(x) = Q(x)P(x) = x^t4 + x^t3 + x^t2 + x^t1
◮ S(t1) ⊕ S(t2) ⊕ S(t3) ⊕ S(t4) = 0
◮ Any time shift t of K(x), x^t K(x), is still a weight-4 multiple
◮ S(t+t1) ⊕ S(t+t2) ⊕ S(t+t3) ⊕ S(t+t4) = 0

New biased keystream samples, t = 0, 1, 2, ...:
$$X^{(t)} = Z^{(t+t_1)} \oplus Z^{(t+t_2)} \oplus Z^{(t+t_3)} \oplus Z^{(t+t_4)} = N^{(t+t_1)} \oplus N^{(t+t_2)} \oplus N^{(t+t_3)} \oplus N^{(t+t_4)}$$

◮ Bias: ε(X) = ε(4 × N) > 2^−163 (the four noise terms regarded as independent)
◮ Data complexity O(2^163)

(3) Löndahl, C., & Johansson, T. Improved algorithms for finding low-weight polynomial multiples in F2[x] and some cryptographic applications. DCC 2014.

SLIDE 78

Basics of Correlation Attacks

◮ Modeled as decoding problems in GF(2) or GF(2^n)

[Figure: LFSR output u_i, noise e_i, received symbol y_i]

◮ Information symbol: LFSR initial state s = (s_0, s_1, ..., s_{l−1})
◮ Codeword: LFSR output u = (u_0, u_1, ..., u_{N−1}) = sG, G ∈ GF(2^n)^{l×N}
◮ Received codeword: keystream samples y = (y_0, y_1, ..., y_{N−1}), y_i = u_i ⊕ e_i
◮ When R = log(2^n) · l/N < C: can be successfully decoded
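Two points from the preceding slides, as one added worked example in Python (not code from the slides or the authors): why a multiple K(x) of the LFSR polynomial P(x) yields a parity check that cancels the LFSR contribution S(t) and leaves the xor of the noise terms (the distinguisher construction of slides 67 and 72), and the decoding view u = sG of the correlation attack (slide 78). It is a constructed toy setting: a 4-bit LFSR over GF(2) with characteristic polynomial P(x) = x^4 + x + 1 and single bits as symbols, in place of SNOW 3G's 512-bit LFSR over GF(2^32) and 24-bit symbols; the low-weight multiples are found by brute force rather than by the [LJ14] method.

```python
# Added example (not from the slides): parity checks from multiples of the
# LFSR polynomial, the resulting noise-only samples, and the codeword view
# u = sG.  Constructed toy: a 4-bit GF(2) LFSR with P(x) = x^4 + x + 1.
# Polynomials are Python ints with bit i holding the coefficient of x^i.
import random


def poly_mul(a, b):
    """Carry-less product in GF(2)[x]."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r


def poly_mod(a, m):
    """Remainder of a modulo m in GF(2)[x]."""
    dm = m.bit_length() - 1
    while a and a.bit_length() - 1 >= dm:
        a ^= m << (a.bit_length() - 1 - dm)
    return a


def exponents(k):
    """Positions of the non-zero coefficients of k."""
    return [i for i in range(k.bit_length()) if (k >> i) & 1]


def lfsr_sequence(p, state, n):
    """u_0..u_{n-1} of the LFSR with characteristic polynomial p of degree d:
    sum_i p_i u_{t+i} = 0, so u_{t+d} = xor of p_i u_{t+i} over i < d."""
    d = p.bit_length() - 1
    u = list(state)                       # u_0..u_{d-1} is the initial state
    taps = [i for i in exponents(p) if i < d]
    for t in range(n - d):
        u.append(sum(u[t + i] for i in taps) % 2)
    return u[:n]


def tap_xor(seq, k):
    """X(t) = xor of seq[t + i] over the exponents i of k, for every t."""
    exps = exponents(k)
    span = max(exps)
    return [sum(seq[t + i] for i in exps) % 2 for t in range(len(seq) - span)]


def parity_check_holds(seq, k):
    """True when every X(t) is 0, i.e. k is a parity check for seq.  This
    holds for every multiple k of the sequence's characteristic polynomial."""
    return not any(tap_xor(seq, k))


def weight3_multiples(p, max_degree):
    """Brute-force search for multiples x^a + x^b + 1 of p with a > b > 0."""
    return [(a, b) for a in range(2, max_degree + 1) for b in range(1, a)
            if poly_mod((1 << a) | (1 << b) | 1, p) == 0]


def generator_matrix(p, n):
    """G with u = sG: row i is the LFSR output started from the i-th unit state."""
    d = p.bit_length() - 1
    return [lfsr_sequence(p, [1 if j == i else 0 for j in range(d)], n) for i in range(d)]


def encode(s, g):
    """Codeword u = sG over GF(2)."""
    return [sum(si & gij for si, gij in zip(s, col)) % 2 for col in zip(*g)]


def demo(n=2000, noise_prob=0.1, seed=3):
    """Toy keystream Z(t) = S(t) xor N(t): combining Z at the taps of the
    multiple K(x) = (x^2 + x + 1) P(x) removes S(t) and leaves the xor of
    the noise bits, which stays biased when N(t) is biased."""
    rng = random.Random(seed)
    p = 0b10011                           # x^4 + x + 1
    k = poly_mul(p, 0b111)                # x^6 + x^5 + x^4 + x^3 + 1
    state = [1, 0, 0, 1]
    s = lfsr_sequence(p, state, n)
    noise = [1 if rng.random() < noise_prob else 0 for _ in range(n)]
    z = [a ^ b for a, b in zip(s, noise)]
    x = tap_xor(z, k)
    return {
        "lfsr_cancelled": x == tap_xor(noise, k),
        "parity_on_s": parity_check_holds(s, k),
        "fraction_of_ones": sum(x) / len(x),   # well below 0.5: X(t) is biased
        "u_equals_sG": s == encode(state, generator_matrix(p, n)),
    }


if __name__ == "__main__":
    print("weight-3 multiples of x^4+x+1 up to degree 14:", weight3_multiples(0b10011, 14))
    print(demo())
```

Every time shift of K(x) is again a multiple, so `tap_xor` produces one sample per t, as on the "Finalize the Distinguishing Attack" slide; with P(x) primitive of degree 4, x^4 + x + 1 itself and six further trinomials of degree at most 14 are multiples, and each of them passes `parity_check_holds` on the LFSR output while a non-multiple such as x^3 + x + 1 does not.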

SLIDE 82

Correlation Attacks on SNOW 3G

◮ Decoding problems are defined over GF(2) or GF(2^n)
◮ The 24-bit approximation cannot be used directly
◮ Instead, we build a new 8-bit approximation: N′ = ΛN[0] ⊕ N[1] ⊕ ΓN[2]
◮ Best Λ = 0x18, Γ = 0x9c: ε(N′) = 2^−40.97
◮ The codeword and received codeword symbols:
  $$u_t = \left( \Lambda\left( s_0^{(t-1)} \oplus s_{15}^{(t-1)} \right) \oplus s_0^{(t)} \oplus s_{15}^{(t)} \oplus \Gamma L_1^{-1}\left[ s_0^{(t+1)} \oplus s_5^{(t)} \oplus s_{15}^{(t+1)} \right] \right)[0]$$
  $$y_t = \Lambda z^{(t-1)}[0] \oplus z^{(t)}[0] \oplus \Gamma\left( L_1^{-1} z^{(t+1)} \right)[0]$$
◮ Recover s from the y sequence
  ◮ Preprocessing: generating parity checks
  ◮ Processing: decoding

SLIDE 85

Finalize the Correlation Attack [ZXM15] (4)

◮ Preprocessing: generating parity checks
  ◮ Generate parity checks involving fewer LFSR states
  ◮ Requires O(2^171.67) parity checks
  ◮ Time/space complexity O(2^176.56)
◮ Processing: decoding
  ◮ Build a distinguisher: it is biased if a guess is correct
  ◮ FWT can help to compute the bias
  ◮ Decoding complexity 2^174.75, 160 bits are recovered
◮ 16-bit correlation attack: same complexity, fewer parity checks

(4) Zhang B., et al. Fast correlation attacks over extension fields, large-unit linear approximation and cryptanalysis of SNOW 2.0. CRYPTO 2015.


SLIDE 93

Conclusions

◮ We give linear cryptanalysis of SNOW 3G
  ◮ 24-bit linear approximation of bias 2^−37
  ◮ Verified the bias by collecting a large number of samples
  ◮ Distinguishing attack with complexity 2^172
  ◮ Correlation attack with complexity 2^177
◮ If the key length in SNOW 3G were increased to 256 bits, there would be academic attacks on it
◮ Not an immediate threat for 5G.

SLIDE 94

Thank you for your attention!